BeyondTrust Patch Tuesday

July 13, 2010

Microsoft Patch Disclosure

This month, Microsoft released 4 patches which repair a total of 5 vulnerabilities. All 4 patches address Remote Code Execution vulnerabilities.
Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

MS10-042 and MS10-045 should be patched immediately. MS10-042 is publicly known and is being actively exploited. MS10-045 should be patched just as urgently, since attackers will likely favor it in their attacks. Next, patch MS10-043 as soon as possible, since it is publicly known. Finally, patch MS10-044 after the other three bulletins have been addressed, since it is also rated critical.
As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

BULLETIN / ADVISORY DETAILS

MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)

Microsoft Rating:

CVE:

CVE-2010-1885

Analysis:

A vulnerability exists in the Windows Help and Support Center that could allow an attacker to execute arbitrary code on a victim's system. To exploit it, an attacker would need to convince a user to click a malicious link or visit a malicious web page. If the user is running with Administrator privileges, the attacker would then gain complete control of the system.

Recommendation:

Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until the patch is rolled out, administrators should unregister the HCP (hcp://) protocol handler by first backing up and then removing the HKEY_CLASSES_ROOT\HCP key from the registry. Note that this breaks all hcp:// links, including those used by Help and Support Center itself, until the key is restored after patching.
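As an added example (not part of the original advisory), the following PowerShell, run from an elevated prompt, performs that backup-and-remove workaround with a verification step and a rollback function. The backup file location is an assumption; reg.exe is used for the export because it produces a file that reg.exe import restores verbatim.

```powershell
# Added example, not from the original advisory. Run as Administrator.
# Unregisters the hcp:// protocol handler by removing HKCR\HCP, after first
# exporting the key with reg.exe so the workaround can be undone once
# MS10-042 is installed. The backup path is an assumption.
$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:SystemRoot 'Temp\HKCR-HCP-backup.reg'

function Backup-HcpKey {
    if (-not (Test-Path $HcpKey)) {
        Write-Output 'HKCR\HCP is not present; hcp:// is already unregistered.'
        return $false
    }
    # reg.exe export writes a .reg file that reg.exe import restores as-is
    & reg.exe export 'HKCR\HCP' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of HKCR\HCP to $BackupFile failed; not removing the key."
    }
    Write-Output "Backed up HKCR\HCP to $BackupFile"
    return $true
}

function Remove-HcpKey {
    Remove-Item -Path $HcpKey -Recurse -Force
    # Verify the handler is really gone; a leftover key means hcp:// still resolves
    if (Test-Path $HcpKey) { throw 'HKCR\HCP still exists after removal.' }
    Write-Output 'hcp:// protocol handler unregistered.'
}

function Restore-HcpKey {
    # Roll back once MS10-042 has been installed and verified
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import of the HCP backup failed.' }
    Write-Output 'HKCR\HCP restored.'
}

# Only remove the key if the backup succeeded, so the change is always reversible
if (Backup-HcpKey) { Remove-HcpKey }
```

After the patch is installed and confirmed, call Restore-HcpKey to bring hcp:// links back; until then, Help and Support Center links that use the handler will fail.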

MS10-043: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution

Microsoft Rating:

CVE:

CVE-2009-3678

Analysis:

A vulnerability exists in the Canonical Display Driver, due to how the Windows Graphics Device Interface (GDI) parses images. If an attacker were able to host a malicious image and convince a user to view it, the user's system would stop responding and eventually restart. Code execution is possible in principle, but because of address space layout randomization (ASLR) it is unlikely that an attacker could reliably execute arbitrary code; the practical impact is denial of service.

Recommendation:

Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this is possible, vulnerable systems running the Windows Aero theme should have Aero disabled and a basic theme selected, since the Canonical Display Driver is only in use when desktop composition (Aero) is enabled.

MS10-044: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution

Microsoft Rating:

Critical

CVE List:

CVE-2010-0814, CVE-2010-1881

Analysis:

Multiple vulnerabilities exist in the Microsoft Access ActiveX controls that could be leveraged through a browser to compromise a system. To exploit them, an attacker would need to trick a user into opening a malicious link or attachment that instantiates the controls and triggers memory corruption. An attacker who successfully exploited these vulnerabilities would gain the same privileges as the currently logged-in user.

Recommendation:

Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this is possible, the affected COM objects should be prevented from running in Internet Explorer. Do this by setting the Internet Explorer ActiveX kill bit for {53230327-172B-11D0-AD40-00A0C90DC8D9} and {53230322-172B-11d0-AD40-00A0C90DC8D9}. The kill bit only stops Internet Explorer (and other hosts that honor it) from instantiating the controls; it does not affect Access itself.
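As an added example (not part of the original advisory), the following PowerShell, run from an elevated prompt, sets the kill bit for both CLSIDs named above and reads the value back to confirm it took. The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key; the handling of the Wow6432Node path for 32-bit Internet Explorer on 64-bit Windows is an assumption.

```powershell
# Added example, not from the original advisory. Run as Administrator.
# Sets the Internet Explorer kill bit (Compatibility Flags bit 0x400) for the
# two Access ActiveX control CLSIDs from the bulletin, then reads the flags
# back to confirm. Covering the Wow6432Node hive on 64-bit Windows is an
# assumption about where 32-bit IE reads these flags.
$Clsids  = @('{53230327-172B-11D0-AD40-00A0C90DC8D9}',
             '{53230322-172B-11d0-AD40-00A0C90DC8D9}')
$KillBit = 0x400
$Bases   = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility') |
           Where-Object { Test-Path (Split-Path $_ -Parent) }   # keep only hives present on this host

function Set-ActiveXKillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already set instead of overwriting them
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBit      # [int]$null is 0, so a missing value becomes 0x400
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Base, [string]$Clsid)
    $v = (Get-ItemProperty -Path (Join-Path $Base $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -eq $KillBit)
}

foreach ($base in $Bases) {
    foreach ($clsid in $Clsids) {
        Set-ActiveXKillBit -Base $base -Clsid $clsid
        $state = if (Test-ActiveXKillBit -Base $base -Clsid $clsid) { 'set' } else { 'NOT set' }
        Write-Output ("{0}  {1}: kill bit {2}" -f $base, $clsid, $state)
    }
}
```

Test-ActiveXKillBit can be reused on its own to audit a fleet before and after patching; a "NOT set" result after running the script usually means the key was written under the wrong hive for the Internet Explorer bitness actually in use.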

MS10-045: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution

Microsoft Rating:

CVE:

CVE-2010-0266

Analysis:

A vulnerability exists in all supported versions of Outlook through Outlook 2007 in the handling of email attachments whose PR_ATTACH_METHOD property is set to ATTACH_BY_REFERENCE, that is, attachments that are a reference to an external file rather than embedded content. An attacker would send a crafted email that targets this flaw in Outlook's attachment parsing. If the victim opened the attachment, the vulnerability would be exploited, giving the attacker the same access rights as the current user.

Recommendation:

Administrators should roll out this patch as soon as possible to vulnerable systems. Until this is possible, stop and disable the WebClient service using services.msc. This blocks the most likely remote attack vector (fetching the referenced file over WebDAV); it does not prevent a referenced attachment from pointing at a file already on the local system or on a LAN share, so it is a mitigation rather than a substitute for the patch.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.